Real-Time Adaptive and Lightweight Anomaly Detection Based on a Chaotic System in Cyber–Physical Systems

Abstract

When cyber–physical systems (CPSs) are connected to the Internet or other CPSs with connectivity, external adversaries can potentially gain access to the CPS and attempt to control the electronic control units (ECUs). In particular, the lack of confidentiality and integrity in the controller area networks (CANs) of CPSs makes it difficult to distinguish malicious data from legitimate data. The security vulnerabilities of CPSs, which are frequently exposed to adversaries, pose the risk of destabilizing the lives of humans. Therefore, we propose a real-time adaptive and lightweight anomaly detection (RALAD) mechanism that efficiently and securely detects anomalies within a given virtual group though verification of the data integrity and key management of stateless synchronization based on a chaotic system while driving. These characteristics prevent an adversary from authenticating maliciously modified messages even though it captures legitimate messages on the CAN bus. RALAD shows a clear difference from others in terms of (1) its unique secret key-sharing method and approach to secret key generation for each message, (2) safe controlling support after detecting anomalies, and (3) its software-based solution that eliminates the need for hardware secure modules. It leads to freedom from the issues of additional cost, weight, and wiring in CPSs. The proposed method achieves real-time anomaly detection, and the experiment results show a 100% detection rate for all attacks. This demonstrates that RALAD maintains high reliability and efficiency, even under various bus load conditions and attack rates.

1. Introduction

Cyber–physical systems (CPSs), which are a new generation of systems, are a set of complex systems that integrate tightly with individual components, including humans, of virtual and physical worlds [1]. One representative example of CPSs can be seen as an electric vehicle [2]. Capturing and adopting the nature of CPSs in electric vehicles (EVs) improves the architecture and functionality of them and strengthens driving performance, energy efficiency, safety, and battery lifetime. EVs are expanding their reach in the mainstream vehicular market. In particular, EVs play a central role in the rapid growth of global eco-friendly production in the United States of America, China, and the EU. USB, a major Swiss bank, expects that by 2025, 14% of all vehicles sold worldwide could be electric vehicles [3].

These days, to achieve not only energy efficiency but also driving convenience and high performance, EVs already contain new technology-based services. For example, EVs provide Internet access using 5G, with hardly any delay, an advanced driver assistance system (ADAS) with lane detection, collision avoidance, emergency braking using various sensors, and in-car entertainment using high-resolution displays. All of these are controlled by automotive Electronic Control Units (ECUs). ECUs are already used in chassis and body electronics both in existing vehicles with an internal combustion engine (ICE) and in EVs. Moreover, since EVs still require many ECUs to control DC converters, batteries, and charging controllers, the proportion of ECUs equipped in electric vehicles can be the same as or more than that of the existing ICE-based vehicles [4,5,6].

The functions of modern vehicles are required more abundantly to maximize driving performance, safety, and security, and complex software for these functions is integrated into in-vehicle ECUs to perform various and powerful functions. In addition to this, EVs have become more diverse with wireless communication technologies. Connected car-related technology is expanding its presence in the electric vehicle field as one of the technologies used to make fully autonomous driving a reality, since the Internet of Things (IoT) and cellular communication technology, including 5G, have recently become widespread [7,8].

However, we should not overlook that EVs’ convenience and new technology are not always best friends. The deployment of connectivity technologies, smart sensors, and electronic controllers allows EVs to be exposed to an increasing number of cyber–physical attacks. As the complexity and volume of implemented software increase, the flaws inherent in such complex software also increase, affecting the safety of EVs. For instance, while the number of EVs on the road is increasing due to consumer preference for self-driving cars and the demand for EVs, fires and sudden acceleration accidents are steadily occurring in EVs [9,10]. One reason may be the high dependence on software, which poses a risk of system errors or malfunctions. In addition, these flaws can be easily exploited as attack surfaces from external wireless links. Therefore, it has become easier for malicious intruders to infiltrate from outside by exploiting the vulnerabilities of complex software through wireless links. In January 2022, a German hacker (David Colombo) remotely hacked 25 Tesla electric vehicles in the United States using a flaw in their software system [11]. After one white hacker, who is a security researcher, unlocked the Tesla Model X, he stole it using Bluetooth [12]. A cyber–physical attack involves an attacker infecting ECUs over the network, turning them into spoofing nodes. After that, the node’s state can be switched to bus-off due to the intended transmission failure, which disrupts the network functionality [13,14]. Public chargers infiltrated by cyber–physical attacks can attack a power grid through the charger network. In early 2022, an EV charging station was shut down on the highway between Moscow and St. Petersburg in Russia due to a cyber–physical attack by a group of hackers [15]. An EV owner’s smartphone being connected to home chargers also presents a potential vector for a cyber–physical attack [16]. While data are exchanged, there is a risk of infection by malicious software against EVs and the connected chargers. Any vehicle comprising physical–electronic components and computing components (i.e., software) can potentially become a target of cyber–physical attacks. Therefore, to drive safely, the CPSs of EVs should be prepared against cyber–physical attacks and should provide a certain level of security. Meanwhile, it is difficult to identify various cyber–physical attacks since the existing detection methods are developed based on the cyber–physical attacks already known [17]. Therefore, this paper focuses on identifying anomalies including any cyber–physical attack involving an unknown cyber–physical attack. This is because anomaly detection is not only capable of identifying unknown cyber–physical attacks but also responds flexibly to them. An anomaly includes a certain event (i.e., fault, error, and cyber–physical attacks) in an abnormal state, diverged from expected data and behaviors [18].

When we consider deploying a security solution to EVs, a step-by-step security solution should be applied to each layer from the external network to individual in-vehicle networks, among in-vehicle networks, among ECUs, and from ECUs to sensors. Moreover, since the shared data are mainly used to control the vehicle’s operation in real-time, anomalies, especially cyber–physical attacks, injected into vehicles should be accurately detected on time. If the security solution to defend against cyber-attacks has a complex structure and requires a lot of resources to support a wide variety of functions, it can be difficult to detect dangerous situations due to the real-time security threats. In this regard, the security solution should be very lightweight and capable of blocking in real time, considering that the driving vehicle should defend against cyber-attacks while controlling the driving safely. Hence, we focus on the development of anomaly detection on the in-vehicle network through which sensing data are shared for driving control. To achieve this, we adopt a hybrid approach by integrating data integrity verification into anomaly detection in EVs.

In this paper, we propose a real-time adaptive and lightweight anomaly detection (RALAD) mechanism using chaotic system-enabled authentication in CAN (Controller Area Network), which is the main in-vehicle network. This paper aims to identify the integrity of control data shared between ECUs to detect cyber-attacks that provide unintended control data to disrupt safe driving. The proposed mechanism performs authentication for each transmission by all recipients who independently verify whether the control data sent by the sender have been manipulated.

This paper presents the following contributions. First, we adopt a hybrid approach to anomaly detection by applying the lightweight verification method of data integrity. Second, we adapt a chaotic system to implement synchronization of the secret key between the sender and the receiver so that it addresses the key exposure problem. Third, the proposed RALAD mechanism operates efficiently in real time during driving. Finally, the proposed security mechanism operates at the upper layers of the CAN controller and is distributed to individual entities of ECUs belonging to each multicast group defined by manufacturers. It does not require any change inside the existing vehicle, which has constraints on weight, wiring, and manufacturing costs. It can effectively regulate illicit control data in real time with low computational complexity.

The reminder of this paper is organized as follows. Section 2 discusses the background and challenges associated with providing a new security solution for in-vehicle networks. We then introduce our approach at an abstract level to achieve the objectives of this paper. Section 3 presents the overall design of RALAD. In Section 4, we evaluate the performance of the proposed RALAD. Finally, Section 5 provides our conclusions.

2. Background and Approaches

This section examines the challenges to be addressed in the in-vehicle network of CPSs. The in-vehicle network is a system for sharing essential control data for the vehicle’s safe driving. In addition, we analyze existing anomaly detection techniques for detecting cyber-attacks.

2.1. Overview of Controller Area Network

CAN is standardized by the ISO (International Organization for Standard) as an electronic communication bus defined by ISO-11898 and supports speeds of up to 1 Mbps [19,20]. It is a serial communication bus that is resistant to electrical interference. In addition, it has self-diagnostic and error-recovery capabilities to improve reliability and efficiency of communication. These characteristics of CAN, along with the low cost of the implementation of CAN and ECUs, have led to its widespread use in most vehicles today [21,22].

In existing vehicles with ICE, the CAN protocol has been widely used as the in-vehicle network [23]. This is because it is proven to support a practical control interface and enable digital control transmission, vehicle electronic systems, safety devices, and infotainment services. Furthermore, the CAN protocol plays a crucial role in EVs for the control of infotainment systems, battery management, battery charging, motor control, inverters, and multiple DC/DC converters. Hence, the CAN protocol is being applied in electric vehicle infrastructures such as charging and battery-swapping stations.

In order to share control data necessary for driving between many CAN nodes (i.e., ECUs), the CAN messages are broadcast through the CAN bus using a multi-master approach. CAN bus frames to be transmitted consist of four message types: data, remote, error, and overload frames. As shown in Figure 1, the CAN data frame consists of an identifier field used for arbitration, a data field containing control data, and a cyclic redundancy check (CRC) field used for detecting data transmission errors. The identifier field is divided into 11-bit identifiers of the standard format and 29-bit identifiers of the extended format. The payload of the data field can be up to eight bytes.

In CAN, the priority of transmission is determined by the identifier in the physical layer, with lower identifier values indicating higher priority. The identifiers used for CAN message transmission are defined and applied through a database that is referred to as CANDB. CANDB contains data that define the necessary messages, identifiers for each message, and the transmission intervals of each CAN message according to the requirements of each vehicle manufacturer.

2.2. Lack of Security Functionalities in Controller Area Network

Using the CAN protocol, the ECUs in a vehicle generally exchange control information required for driving. When ECUs exchange data, they can become vulnerable to security risks, particularly in connected vehicles. This is because CAN operates based on a broadcasting method to transmit messages to all nodes. In addition, unlike the Internet, which identifies nodes using IP addresses, CAN relies on unique message identifiers (i.e., the value of the identifier field of the CAN frame) in the arbitration field, as shown in Figure 1, to broadcast the control data required for driving.

CAN is solely concerned with ensuring that messages are reliably delivered to all recipients. As a result, it performs error control only for the transmission of each signal. If an error occurs in the bit stream that constitutes the data frame, the receiving CAN controller immediately sends an error frame to the transmitting node. This triggers the transmitting node to initiate a retransmission mechanism.

CAN does not concern itself with identifying who sent a message. In other words, the CAN mechanism cannot differentiate between nodes transmitting control data or verify whether a message has been tampered with. In this regard, there is no doubt that all nodes connected to the CAN bus, including malicious nodes, can monitor or eavesdrop on messages transmitted over the bus. This lack of security makes it easier for adversaries to exploit control data required for driving. This is because each CAN controller does not encrypt transmitted messages, or authenticate nodes and messages. Consequently, adversaries can easily exploit these security vulnerabilities in CAN by eavesdropping on the CAN bus and injecting malicious messages from both internal and external sources.

2.3. Considertation and Problem Definition to Provide Security Features for CAN

In this subsection, to clarify the key distinctions of the proposed security solution, we define several problems to be addressed and the features.

As mentioned earlier, the CAN protocol does not have built-in security features for message authentication and integrity verification. Therefore, the vehicle’s safety can no longer be guaranteed when adversaries attempt to compromise its driving operation by injecting malicious control data, causing it to enter an abnormal state. If this abnormal state occurs frequently and persistently, it may lead to physical damage due to control. A simple way to prevent this is for the receiving node to verify the transmitted control message for data integrity. It can significantly improve driving safety by ensuring that the transmitted control data have not been tampered with. Once a malicious message is detected on the receiving side, its transmission can be blocked and discarded. In CAN, when control data are detected in an abnormal state, the message is classified as a cyber–physical attack. This classification is carried out by performing message authentication along with data integrity verification. To accomplish that, it is necessary to address the following five considerations in CAN.

First, providing security features for the existing vehicles is challenging due to practical issues. For instance, installing additional hardware (e.g., secure module or enhanced CAN controller) on the existing vehicle platform is not only practically difficult but also requires replacing existing ECUs with more powerful ones. This would involve various challenges, including redesigning the vehicle’s structure, increasing costs, and adding weight. Moreover, the ECUs in vehicle control systems have limited resources and computing power due to manufacturing costs. It can make it difficult to operate certain functionalities, such as encryption and hashing algorithms used for message authentication. Therefore, the proposed security solution should investigate a way to optimize resource usage for efficient processing in this resource-constrained vehicle control environment.

Second, to ensure safe driving, it is crucial to meet the requirements for real-time processing of control data sharing in the in-vehicle network. While sharing control data for message authentication is an essential operation, it must not interfere with or burden the transmission of regular driving control data. When considering the implementation of CAN, several parameters vary depending on the automotive manufacturer: (1) the definition of message priority in main segments, (2) the design of the mapping between transmitting and receiving ECUs, and (3) the transmission timing (i.e., periodicity) for messages. These examples are typically documented in a CAN database (i.e., CANDB) [24,25]. To meet real-time processing requirements, this paper defines the time interval dictated by the environment as at least 5 ms. Real-time operation is considered satisfied if all processes required for each authentication are completed, meaning they are performed within this time interval [26]. The time interval is defined as the minimum value among them since the transmission of CAN messages defined in the CANDB occurs with a minimum period of 5 ms and a maximum period of 100 ms, which is typically used in automotive powertrains and chassis. It indicates that both the transmission of CAN messages as specified in the CANDB and the additional integrity verification should be completed within a minimum of 5 ms for each message. Therefore, we define that the proposed security solution satisfies the requirement of real-time processing when both the transmission of each message and the execution of security functions for each message are completed within 5 ms, which is the minimum time interval specified in the CANDB.

Third, in the case of message authentication on the existing CAN mechanism, it is essential to share certain additional information used for message authentication between the transmitting and receiving nodes, while also sharing the driving control data as mentioned earlier. Moreover, the information used for message authentication should be transmitted with the control data without delay for driving. The proposed security solution investigates the optimal method to share the information used for it, based on the understanding of the mechanism of the CAN protocol. The CAN protocol offers limited space for sharing control data in the data field of a CAN frame, and each CAN frame has a short transmission period. Furthermore, all fields of the CAN data frame, except the data field, are automatically controlled by the CAN transceiver for bitwise arbitration, error detection, and acknowledgment (ACK) response functions. As a result, we cannot modify any fields other than the data field to apply security functionality. Therefore, the most efficient approach is to exploit the remaining limited space, excluding the area occupied by the control data in the data field, for the message authentication information. This means that the size of additional information required for message authentication is influenced by the size of the control data within the data field of the CAN frame.

Fourth, we do not prevent the exposure of the information used for message authentication due to the openness of the CAN bus while message authentication is performed. Therefore, we should consider the possibility that an adversary could detect patterns in the information used for message authentication if they eavesdrop on the communications on the CAN bus for a long period. Note that the control data transmitted via CAN tend to have unchanging content for a given time. In other words, since control signals are continuously transmitted even in an environment where the driving situation remains unchanged, most of the control data generated during driving in this condition exhibit little variation. It only changes when the driver intends to control the vehicle’s functions and operations, and the updated status value is continuously maintained until the next change. Meanwhile, the information used for message authentication is derived from the control data to determine whether the message is in an abnormal state. Since the repeated transmission of the same driving control data aids in identifying a pattern, improving the randomness of the generated information is necessary.

2.3.1. Problem Definition in Using Symmetric Keys

Message authentication as one of the security solutions is generally based on a symmetric key used for a cryptographic hash function (CHF). The symmetric key operates by sharing a single secret key between both parties. This method is powerful because it allows for efficient data processing and resources utilization.

The effectiveness of a symmetric key-based approach depends on a key management mechanism that includes key generation, distribution, and updating. This is fundamental to achieving authenticity and confidentiality in security solutions. The confidentiality of a secret key refers to the condition in cryptography where the secret key is protected from being exposed to unauthorized nodes [27]. To provide confidentiality of a secret key, the distribution of a new secret key should be carried out on a secure dedicated channel or over a cryptographic protocol. One simple mechanism for key distribution is to pre-share the key through a secure channel before the commercial vehicle is released. However, if the same secret key is used continuously, it may be vulnerable to traceability. Therefore, a new secret key should be periodically updated and redistributed to avoid prolonged use of the same secret key. The key distribution mechanism is proposed to distribute the secret key periodically in order to ensure its freshness [28,29]. This technique minimizes key exposure but requires authenticating the key distribution node to ensure the security and trustworthiness of the key.

Indeed, using the symmetric key method introduces challenges in key management when aiming to provide a high level of security. In particular, if the security features based on symmetric keys are enabled for CAN, the main vulnerability lies in the high likelihood of the secret key being exposed or stolen during the key distribution over the shared CAN bus channel. It is not easy for CAN to ensure a high level of security since the new secret key is not distributed through a secure, dedicated channel or over a cryptographic protocol. This introduces implicit risks that may compromise its confidentiality. In addition, when communicating with multiple users, such as in the case of the CAN bus, key management becomes more complicated when all users use the same secret key. This complexity arises from factors such as the length of the secret key, its range of use, and its validity period.

2.3.2. Chaotic System for Key Generation

For authentication using these existing mechanisms, such as digital signatures, encryption, and OTP (One-Time Password), a random number generator (RNG) is used to generate a secret key as part of a sequence of numbers that appear random. An RNG is a deterministic generator, in which its value may be traced back or predicted under the condition that the initial value (i.e., seed) used is exposed. Therefore, it is necessary to vary the initial value for the random number generator to enhance its security.

Recent efforts have focused on authentication and key generation using chaotic maps [30,31,32]. A key authentication mechanism has been designed based on a chaotic map to prevent keys from being forged or modified in a public key-based encryption system [30]. This mechanism requires key verification before using a key. Additionally, a key generation mechanism utilizing chaotic cryptography and logistic maps has been developed [31]. It aims to increase the complexity of key generation, reducing the likelihood of the key being decrypted by an adversary, rather than fundamentally preventing key exposure. There is a study that proposes an authentication and key agreement method based on a chaotic map [32]. However, this system has limitations in that it requires a central system for server and user registrations, and all information generated through registration must be shared through a secure channel. A chaotic system is typically defined as a nonlinear dynamical system in which the output is not directly related to the input [33]. Specifically, the dynamical systems with discrete time, which are derived from the iterative formulas, are typically classified as chaotic maps. This means that discrete-time dynamical systems, which are computed iteratively, are considered to exhibit chaotic behavior. Consequently, the behavior of a chaotic system can be mathematically modeled during its chaotic process.

The mathematical model representing the chaotic maps is described with initial conditions and chaotic parameters. The behavior of the chaotic system appears disordered due to its sensitive response to its initial conditions. In addition, small variations in the initial conditions can lead to significant differences in the systems’ outcome. As a result of these characteristics of chaotic maps, chaotic maps generate complex and unpredictable sequences. Moreover, the system’s outcome exhibits a cumulative effect, with multiple iterations of the modeled chaotic system influencing the consequence. These properties make chaotic maps particularly useful in security applications such as hash functions, encryption, and block ciphers. In this paper, we focus on leveraging the sensitivity of chaotic systems to chaotic parameters and initial conditions to generate a secret key each time. This sensitivity contributes to the non-periodicity and pseudo-randomness exhibited by chaotic systems.

2.4. Our Approach

In this paper, to meet this requirement of real-time processing, the proposed solution is designed to be lightweight and efficient, ensuring a high level of security during driving. To achieve that, we focus on designing the proposed security functions to be performed at a higher layer of the CAN protocol, without modifying the operation of the existing CAN protocol. In addition, we exploit CHF to generate additional information for message authentication, which has a variable length to fit into the data field. To enhance the randomness of the used symmetric key, a chaotic system is employed when using CHF.

We propose a new method for synchronizing the sequence of symmetric keys even when the symmetric keys are independently generated using a chaotic system between both parties. This approach focuses on generating a symmetric key independently and generating it anew for each transmission, rather than sharing it periodically between both parties. We call this method stateless synchronization, which does not share the symmetric key or any information to generate secret keys based on the chaotic system. Stateless synchronization refers to the process of generating keys without explicitly sharing them. Performing key generation through stateless synchronization is more secure than explicitly distributing keys. This approach reduces the risk of key exposure and enhances security in public network environments.

2.5. Attack Model

In this subsection, we assume an attack model by any adversary who tries to change a normal state into an abnormal state. This paper defines the anomaly as abnormal situations resulting from cyber–physical attacks that indicate any malicious attempt to access the vehicle’s systems and network to cause malfunctions and breakdowns during operation. In addition, more concerning is that a successful cyber–physical attack on EVs could potentially grant access to the power grid. Therefore, since such anomalies can be detected by identifying alteration or manipulation of the control data, the driving control of the EV system can be prevented from being driven into an abnormal state unintended by the driver. The adversary can perform the alterations or manipulations of the control data in the form of the following defined attacks.

A replay attack allows an adversary to copy a valid message (i.e., CAN data frame) on the CAN bus and to retransmit it after a certain period, disguising that of a legitimate node. By pretending to be from a legitimate node, the adversary intends to delay or interrupt the transmission of normal messages and burden receiving nodes with redundant processing. As a result, the reply attack forces the vehicle into an abnormal state while it tries to seem to be in a normal state. In particular, the CAN bus, which uses a broadcast method, is particularly vulnerable to replay attacks, as any adversary can naturally eavesdrop on signals and exploit them for malicious purposes.

In a man-in-the-middle attack, an adversary between two nodes intercepts their messages and manipulates their contents before forwarding them again. However, in the CAN bus, the adversary cannot intercept CAN messages because of its broadcast method. Nevertheless, in terms of manipulation, this scenario is almost identical to a modification attack, specifically a masquerade attack, as it involves transmitting modified CAN data frames using only message identifiers defined in CANDB. This attack attempts to make a normal system abnormal by transmitting maliciously modified control data pretending to be a normal node.

A Denial of Service (DoS) attack in CAN aims to monopolize the resources of the CAN bus, preventing other nodes from transmitting data over it. This results in a temporary disruption of vehicle network communication services. A DoS attack on CAN leads the CAN bus into a state where communication is not possible, known as the bus-off state, thereby compromising the availability of the communication system. Therefore, the DoS attack disrupts the regular communication of other nodes by forcing the CAN controller into a bus-off state. To put the normal state of the CAN bus into the bus-off state, the adversary deliberately triggers errors, which include ACK, CRC, bit, and form errors, on purpose. This type of DoS attack in CAN is not intended to cause anomalies in the CAN, but rather to cause obvious errors. Therefore, the adversary described in this paper is not interested in simple forms of this cyber-attack.

A fuzzing attack is randomly attempting all possible values allowed for the data field in the CAN message. In this regard, it is the same as a brute-force attack. It aims to force the system into an abnormal state after finding the correct value by systematically trying all possible combinations. In this paper, an adversary can exploit the data collected from CAN to perform the fuzzing attack. It may try the possible value which is one of numerous values in the range of 0 to ($2^{64}$ − 1). Note that, in CAN, the information contained in each CAN message is determined by the identifier field of the CAN data frame. Therefore, assuming the adversary can eavesdrop on the communication, they perform a fuzzing attack with the given identifier obtained through eavesdropping. Considering the payload within a CAN data frame of eight bytes and the short interval of the transmission in CAN, it can be very vulnerable to fuzzing attacks.

Hence, in this paper, the adversary is interested in replay, modification, and fuzzing attacks and injects them into the CAN bus to drive the vehicle into an abnormal state contrary to the driver’s intention.

3. Proposed Methodology

In this paper, we propose a novel anomaly detection mechanism (RALAD) that is adaptive and lightweight while supporting real-time processing for CAN. To detect anomalies, RALAD focuses on identifying anomalies as an unusual state caused by cyber–physical attacks, which represent any malicious efforts to infiltrate the vehicle’s systems and network, aiming to disrupt operations or induce malfunctions. Therefore, RALAD is designed to verify the data integrity of each transmitted CAN message using a symmetric key based on the chaotic system, detecting anomalies. The proposed RALAD exploits the combination of (1) the discrete chaotic map, (2) the CHF, and (3) the variable length of the information required for message authentication. Based on this design, RALAD is capable of providing a lightweight, fast, and adaptive response to treat unexpected situations. It is implemented as one part of a suite of software security solutions and operates on top of the CAN protocol layer.

Additionally, in symmetric key-based authentication, it is more important for a secret key to achieve reliability, novelty, and confidentiality under the condition that the length of the information for message authentication is insufficient for a high level of security. To address this challenge, we deploy three strategies. The first strategy is to limit the range of use for the symmetric key to achieve high reliability. The second strategy is to use a different secret key for each transmission to achieve its novelty. The third strategy is that the generated secret key is never explicitly shared within the given group. It leads to achieving its confidentiality without encryption.

3.1. Overview of the Proposed Anomaly Detection

In this paper, achieving real-time processing means that message authentication should be completed within 5 ms since it is the minimum interval for the message transmission over the CAN bus [24,25]. Considering the computational overhead for message authentication and transmission over the CAN bus, first, RALAD generates the information required for message authentication in the form of a keyed-hash message authentication code (HMAC) [34]. It is a small data block attached to the transmitted message. Second, RALAD exploits CHF to generate the HMAC.

RALAD transmits the control data and HMAC at the same time so that it achieves message authentication without delay. However, when supporting security functionality, exploiting the CAN frame is limited due to the short length of the data field. The length of the control data inserted into the data field can vary depending on the type of control information. It can be up to a maximum of 8 bytes. Therefore, to carry HMAC while transmitting the control data, we have no choice but to use the remaining space except for control data in the data field. This means that the length of HMAC differs for each message, within the maximum of 8 bytes, depending on the length of the control data. This adaptive and dynamic length of HMAC is used to confuse adversaries and contributes to improving the security of the generated HMAC.

Therefore, message authentication to be performed in real time includes the generation of HMAC based on CHF, the transmission of HMAC with the control data over the CAN bus, and the verification of data integrity for the transmitted message [35]. After the transmitting node sends the message along with the generated HMAC, the receiving node generates its own HMAC for the received message and then compares it with the HMAC of the transmitting node. If the comparison results in a match, it determines that the message is genuinely sent from the transmitting node and is not altered. If they do not match, the message is immediately excluded from the driving control. Finally, verifying the message authentication and data integrity is completed. This design allows RALAD to operate on the upper layer without modifying the existing CAN protocol and can be implemented without adding complex hardware.

In RALAD, HMAC (${\mathsf{\Delta }}_i^k$) to be generated by either the transmitting node $t$ or the receiving node $r$ at the $i$-th transmission is given as:

$${\mathsf{\Delta }}_i^k=f_h^{{\eta }_i}(f_h^{{\eta }_i-1}\dots (f_h^1(x_i^k,{\omega }_i^k)\left)\right),k=\left\{t,r\right\}$$

(1)

where $f_h$ is the CHF, ${\eta }_i$ is the number of iterations of the CHF, and $x_i^k$ is the secret key of node k. In Equation (1), the control data are denoted as ${\omega }_i^k$ at the $i$-th transmission and $k=\left\{t\right\}$, since the control data are transmitted only by the transmitting node $t$.

The transmitting node $t$ generates the fixed size of the HMAC ${\mathsf{\Delta }}_i^t$ as the result after ${\eta }_i$ iterations of the CHF ($f_h)$ with the initial values of the secret key ($x_i^t)$ and the control data $\left({\omega }_i^t\right)$ at the $i$-th transmission. This ${\mathsf{\Delta }}_i^t$ is included in the data field of CAN frame along with the control data (${\omega }_i^t)$, as shown in Figure 2. The receiving node $r$ compares its own results $\left({\mathsf{\Delta }}_i^r\right)$ to that (${\mathsf{\Delta }}_i^t)$ of the received CAN frame. Its HMAC (${\mathsf{\Delta }}_i^r)$ is generated according to the same Equation (1), where it uses the control data (${\omega }_i^t)$ in the CAN frame received from $t$ and its own secret key $\left(x_i^r\right)$. In addition, as shown in Figure 2, when the transmitting node sends a CAN frame, it also inserts the chaotic map number $c$ along with HAMC into the data field of the CAN frame. At that time, if the length of HMAC is longer than the remaining space of the data field, the leading part of that is extracted and attached into the data field. While generating the HMAC, the used values of the secret key and the number of iterations are generated using one of four chaotic maps. The attached chaotic map number $c$ serves as the identifier of the chaotic map selected for each transmission. Note that the secret key used for the transmitting and receiving nodes is given by the same value due to the use of the same chaotic map. Therefore, they do not share a symmetric key. The same key is simply and synchronously generated by the chaotic map on each side.

3.2. First Strategy: Secret Key Only Valid to a Virtual Group

To achieve high reliability of the symmetric key, RALAD limits the range of use of the symmetric key. In CAN, there is a conceptual group. According to the CANDB of each manufacturer, many conceptual groups are naturally formed, consisting of one transmitting node and several receiving nodes. To control driving safely, a given receiving node is interested only in the control data of the specific message from the transmitting node after it starts its operation. In other words, each receiving node only receives messages with some identifiers that it is interested in. Therefore, multiple receiving nodes interested in a certain message and one transmitting node form a multicast group. However, this group does not have a formal entity and is not explicitly organized. In other words, it does not go through any procedure to form a multicast group. This paper refers to this conceptual multicast group as a virtual group. Moreover, since one receiving node may be interested in various messages from many transmitting nodes, it can belong to different virtual groups at the same time. Consequently, the number of the virtual groups depends on the number of messages from the transmitting nodes defined in the manufacturer’s CANDB.

RALAD exploits this virtual group so that all nodes belonging to the given virtual group use the same secret key. This is because the transmitting node in the virtual group determines the chaotic map to generate a new secret key. Limiting the validity range of the secret key contributes to achieving its reliability. Due to using a different key for each virtual group, the chances of a successful attack using the key are reduced even though the key is exposed. This method also simplifies key management.

3.3. Second Stategy: Chaotic Map-Based Secret Key Generation

To generate a secret key, RALAD employs one-dimensional chaotic maps as a deterministic pseudo-random number generator [36]. The RALAD-enabled node uses a chaotic system representing discrete-time nonlinear dynamical systems. RALAD exploits the feature of high sensitivity to initial conditions to generate a series of secret keys without periodicity or repetition. The chaotic maps are identified with the following chaotic properties: (1) ergodicity, (2) non-periodicity, (3) unpredictability, and (4) sensitivity to initial conditions and parameters [37,38,39,40,41,42,43]. It is important to note that the chaotic pseudo-random number generator cannot be reproduced unless the exact values of the initial conditions and parameters are known. Furthermore, its output varies depending on the number of iterations, even if the initial conditions and parameters are exposed. Therefore, when the secret key is generated through the iteration of chaotic maps, during the first phase, the initial value is designed to be used only once to create the first value in the sequence of secret keys. Starting from the second phase, the initial value is intended to be changed to a new one in RALAD.

In this paper, the values of initial conditions and parameters are distributed as pre-shared values of a chaos-based cryptographic system in the manufacturing state, which are used only once in the first phase. To generate a secret key for each transmission, RALAD uses one of the following one-dimensional chaotic maps: logistic mapping, tent mapping, sine map, and cubic map. The governing equations of each chaotic map are described in (2) to (5), respectively,

$$x_{\eta +1}^c=\lambda x_{\eta }(1-x_{\eta }), \lambda =3.99$$

(2)

$$x_{\eta +1}^c=\left\{\begin{array}{c}\lambda x_{\eta }, If x_{\eta }>0.5 \\ \lambda \left(1-x_{\eta }\right), if x_{\eta }\le 0.5\end{array}\right. ,\lambda =1.97$$

(3)

$$x_{\eta +1}^c=\lambda sin\left(\pi x_{\eta }\right), \lambda =0.99$$

(4)

$$x_{\eta +1}^c=\lambda x_{\eta }(1-x_{\eta }^2) \lambda =2.59$$

(5)

where $c$ is the chaotic map number, $\eta$ is the number of iterations, and $\lambda$ is the system parameter value in a chaotic range [44].

For each transmission in a given virtual group, RALAD uses the chaotic map number ($c$, $0\le c\le 3$) to choose one of four chaotic maps. The chaotic map number ($c$) is calculated using the modulo operation from the determined iteration number (${\eta }_i)$. The iteration number ${\eta }_i$ for the $i$-th transmission can be determined from a pseudo-random number generator (i.e., linear congruential generator) with the seed of the initial condition $x_0$ in the first phase. The selected chaotic map with the given $x_0$ after ${\eta }_i$ iterations finally generates a new value ($x_{{\eta }_i}$) that serves as the secret key ($x_i^k$) used for the CHF ($f_h^k)$.

As shown in Figure 3, which illustrates the key generation mechanism based on chaotic maps, the chaotic map corresponding to a given chaotic map number is denoted by $f_{cm}^{\eta }\left(x_o,\lambda \right),$ where $x_o$ represents the initial condition for $i$-th transmission and $\lambda$ is the system parameter. This means that the chaotic map requires the initial condition ($x_0$) as the first value for Equations (2)–(5). During the first phase, that is, the first transmission, RALAD assumes that all nodes on the CAN bus use the pre-defined initial condition ($x_0$) that are shared in advance. However, this initial condition is never used again because we update it to a new value. From the second phase, the initial condition is changed to the result ($x_{\eta +1}^c$) of the selected chaotic map ($c$) performed during the previous transmission. This indicates that the secret key is input again to the new initial condition ($x_0$) for the given chaotic map. To help clarify our mechanism, Figure 3 depicts the process when $j$ is the current number of repetitions.

Hence, RALAD ensures the novelty of the symmetric key by generating a new secret key for each transmission and then discarding it. This secret key is used as a one-time key. By using this one-time secret key, each receiving node in the given virtual group independently performs anomaly detection whenever a message is received from the transmitting node. These characteristics make it difficult for an adversary to authenticate maliciously modified messages even though it captures legitimate messages on the CAN bus.

3.4. Third Stategy: Stateless Synchronization

To prevent key exposure, the generated secret key is not explicitly shared in a given virtual group. Furthermore, the state used to generate the symmetric key is also not exchanged. The state refers to information that a node maintains or manages internally during key generation based on chaotic maps, such as initial conditions, parameters, and the values of internal variables through an iterative formula.

In RALAD, all nodes within a given virtual group independently generate a single sequence of secret keys using one of the predefined chaotic maps. This process relies on the deterministic nature of the chaotic map, along with carefully chosen initial conditions and parameters, which are identical across all nodes. In addition, RALAD changes the initial conditions into different conditions derived from the last value of the previous phase so that it reduces predictability and increases randomness. Even though the initial conditions are changed, the complexity of the key generation process does not increase, and the level of security provided is maintained. Moreover, the nodes in a given virtual group do not require any state exchange or sharing while generating the sequence of secret keys. Therefore, in this paper, this key generation and synchronization is referred to as stateless synchronization. Despite operating independently, the inherent properties of the chaotic map ensure that all nodes remain synchronized while generating the same sequences. This approach enhances security by reducing the risk of interception or manipulation during state sharing.

The stateless synchronization in RALAD is based on a chaotic map number ($c$) that is selected randomly for each transmission. This value is appended to the data field along with the HMAC by the transmitting node within the given virtual group, as shown in Figure 2. In this way, RALAD eliminates the risk of exposing the secret key against adversaries. There is no need to share a new secret key to ensure novelty, as each side independently and simultaneously updates its secret key, which is denoted as $x_i^k$ in Equation (1), of the same value.

4. Performance Evaluation

In this section, we evaluate the performance of RALAD within the in-vehicle networks, which are constructed with a representative testing software tool commonly employed by automotive manufacturers and ECU suppliers, along with a message set of the SAE benchmark [23,24].

4.1. Experimental Environment with RALAD

To implement the proposed RALAD-enabled node, several one-dimensional chaotic maps, such as the logistic map, tent map, cubic map, and sine map, are used. The linear congruence method is adopted as the pseudo-random number generator, and the MD5 method is used as the CHF. The CAN protocol is implemented in the in-vehicle network using CANoe Pro 17.0, which is the representative testing software tool, and CAPL (Communication Access Programing Language).

To evaluate the robustness of our RALAD, the experimental environment emulates an automotive network system with high fidelity to actual automotive networks. In our experimental environment, the in-vehicle network consists of a total of five ECUs that are derived from SAE benchmark [24,25]. Among them, the marked V/C ECU transmits messages to the marked Driver ECUs. The other ECUs, which act as adversaries, transmit cyber-attack messages at regular intervals to the normal ECUs, as shown in Figure 4a. Figure 4b presents a snapshot of data of CAN data frames transmitted by these ECUs. It assumed that the legitimate ECUs have the initial condition ($x_0$), which is used the first time to start the selected chaotic map. This is because the values of the initial conditions and parameters are already stored in each ECU’s memory by the manufacturer, as mentioned above. Even if an adversary infects an ECU and learns the initial condition stored in its memory, it cannot generate the sequence of secret keys. It is noted that the value of the initial condition is not used alone; the stateless synchronization mechanism combines it with other elements to generate a secret key.

Through the CAN bus, the three adversaries eavesdrop on the message transmitted by the normal ECUs. The experimental environment is designed to ensure the bus load rate does not exceed 70%. This is because the CAN bus enters a bus-off state when the bus road rate increases over 70% [45,46,47]. The data field in the transmitted CAN messages contains all of the control data and the HMAC calculated within the given interval. In experimental results, there are no cases where the calculation time of the HMAC is over the minimum interval time of 5 ms.

In this evaluation, three adversaries independently inject replay, modification, and fuzzing attacks into the CAN bus according to the attack model described in Section 2.4. Each regular node transmits normal messages for about 30 minutes at intervals of either 5 ms, 10 ms, or 100 ms while the adversaries inject cyber-attacks at their respective intervals, with some variations added to regular intervals. In particular, in the replay attack, as the adversary should follow the regular transmission interval of the eavesdropping message, it injects the replay attack with a certain amount of delay.

In the total number of transmitted messages, there are three configurations with the average ratio of normal messages to cyber-attack messages: (1) 9:1, (2) 5:5, and (3) 3:7. Our experiments are conducted in an environment where each CAN bus load ratio is set to 0.1, 0.3, 0.5, and 0.6, respectively.

4.2. Experimental Results

We evaluate the performance of RALAD by measuring its detection rates for three distinct types of cyber-attacks that cause anomalies. All results concerning the increasing bus load rate of the CAN bus are presented. As the bus load ratio increases, both the total number of transmitted messages and the number of injected attacks naturally increase, increasing the stress of the RALAD-enabled system. In addition, the bus load rate depends on total transmitted bits, which are calculated by the sum of the injected cyber-attacks and the normal messages transmitted. In CAN, as the bus load rate increases, the frequency of transmission collisions over the CAN bus also rises. This leads to message retransmissions, reducing the number of messages that can actually be transmitted due to them. Moreover, due to CAN’s arbitration mechanism, lower-priority messages (i.e., those with a high identifier value) are less likely to be transmitted. It negatively affects the overall number of messages to be transmitted as the bus load rate increases.

Figure 5 illustrates the anomaly detection ratio against the abnormal message of the replay attack as the bus load ratio increases under different abnormal message ratios of 0.1, 0.5, and 0.75 relative to the total messages sent. Figure 5a presents that, even as the bus load ratio increases, the detection ratio for replay attacks consistently maintains a perfect detection ratio.

In Figure 5b, as the bus load ratio increases from 0.1 to 0.6, the total number of messages transmitted decreases from approximately 1.2 million to around 600,000. This reduction is caused by congestion, retransmission, and arbitration, as described above. The number of replay attacks is significantly higher than in that of Figure 5a. It intends to burden the RALAD system. However, RALAD is capable of detecting abnormal states caused by all replay attacks, even under these challenging conditions. Figure 5c further demonstrates that detection performance remains robust under high bus loads and a large number of replay attacks. Although RALAD needs to consume more resources to identify replay attacks as abnormal messages within the many transmitted messages, it consistently operates correctly against replay attacks. It is seen that RALAD identifies replay attacks with 100% of the detection rate even though they are transmitted with minimal delays that mimic normal messages occurring in CAN networks. Furthermore, it is observed that an increase in the total number of messages, due to a higher ratio of replay attacks, does not impact the detection performance.

Figure 6 shows bar graphs labeled (a), (b), and (c), which depict each result of the anomaly detection ratio against modification attacks under different bus load ratios. Modification attacks are injected by modifying the intercepted content. As these attacks have a little delay and are injected with various data, similar to fuzzing attacks, these attacks are more sophisticated than replay attacks. Nevertheless, it is seen that all results, as shown in Figure 6, have 100% detection rate. In the case of modification attacks, the RALAD mechanism performs robustly by successfully detecting all anomalies caused by modification attacks, regardless of the bus load or cyber-attack ratios.

Figure 7 illustrates the performance of RALAD in identifying anomalies caused by fuzzing attacks. Fuzzing attacks attempt to modify data by considering all possible cases of success. Since fuzzing attacks are frequently injected at random intervals, their transmission timing may coincide with that of regular messages. In addition, fuzzing attacks may have a higher success ratio compared to the other two types of cyber-attacks because they randomly inject a large volume of random data into the system. Therefore, the detection of fuzzing attacks on time is useful for determining whether RALAD is operating safely and comprehensively, as these attacks employ a variety of random data and random timing for transmission. As shown in Figure 7, RALAD demonstrates good performance in anomaly detection, regardless of the bus load or attack ratio. In particular, as depicted in Figure 7c, while the total number of messages sent does not significantly change with increasing bus load due to frequent collisions, the proportion of detected fuzzing attacks remains perfect. Therefore, this result highlights the stable performance of RALAD, even under high cyber-attack ratios and increased bus load. An increase in the bus load, which reflects a greater amount of data processed by RALAD, does not compromise its detection capability.

We present the false-positive results for each type of cyber-attack in the anomaly detection performance of RALAD, as shown in

Table 1. False positive rate of the proposed anomaly detection.

Bus Load Ratio	0.1	0.5	0.75
Replay attack	0%	0%	0%
Modification attack	0%	0%	0%
Fuzzing attack	0%	0%	0%

. It is seen that RALAD does not produce any false-positive detection against any of the attacks.

As a result of performing all three attack models with varying transmission intervals, the receiving ECUs have failed to authenticate all cyber-attack messages. This indicates that RALAD detects all anomalies with a 100% success rate. This outstanding result is attributed to the chaotic map-based method, which modifies the initial conditions for each message and updates the secret keys for every transmission, causing the HMAC to change frequently and making it difficult for adversaries to predict.

5. Conclusions

To conduct real-time adaptive and lightweight anomaly detection, this paper proposes an anomaly detection mechanism (RALAD) based on a chaotic system to enhance the security of in-vehicle networks in EVs. RALAD effectively responds to anomalies caused by various cyber–physical attacks with its lightweight structure and real-time processing capability. RALAD is a practical security solution that detects abnormal messages based on message authentication with a one-time symmetric key and chaotic map-based stateless synchronization. These characteristics prevent an adversary from authenticating the maliciously modified messages, even though it captures legitimate messages on the CAN bus.

Experimental results show that RALAD achieves a 100% detection success rate across all attack models, which significantly contributes to ensuring the safe operation of EVs by maintaining the normal state of control. Additionally, this mechanism can be implemented without changing the structure of existing vehicles, minimizing manufacturing costs and design constraints. We plan to expand the application scope of RALAD and verify its performance in various industrial environments.